Monday, November 19, 2018

Before we invented KeyReel, we certainly used our share of password apps, but couldn’t find the right combination of features, security, and ease of use. So what does KeyReel offer users that differentiates it from RoboForm and Keeper?

RoboForm

RoboForm is a cloud-based form filler and password manager that supports multiple platforms and browsers. Users can save passwords, financial and other personal data to automatically fill forms online.

Due to its cloud server, RoboForm can sync data across devices. It also provides offline access to data, and its desktop version offers a local storage option. Users can share files or folders securely and log into local desktop applications automatically, too.

Why Isn’t It Enough?

RoboForm is simple and easy to use, without an overload of features, and it has some useful extras, too. However, as we’ve mentioned in previous posts, we were looking for a solution that would allow us to avoid storing passwords on the cloud. Cloud storage can be secure but has inherent vulnerabilities because it is accessed via a network connection. But we still wanted to be able to log in as conveniently as cloud-based password apps allow.

Users tend to think of the ability to sync between devices as a convenience, but it can actually be a weakness. The more devices you have on one account, the less control you have over the data on all those devices. Think about changing the data on a phone and having it sync to a desktop and laptop, not realizing the laptop has been compromised--and now all your latest passwords are available to a hacker.

Overall, although RoboForm is convenient for password auto-fill, it’s mainly a form-filler designed to save time, not a password manager designed to make logins transparent and secure.

Keeper

Keeper supports multiple platforms and browsers. Its cloud-based vault allows for many convenient features such as the ability to sync between devices and instant autofill. Besides that, users can save several types of files other than login data, send and receive files or message each other securely.

Users can log in using biometric verification (fingerprint) and dual-factor authentication to a smartwatch or other device.

As for localization, Keeper is integrated with hardware-based security devices like YubiKey. It also has several servers located in North America and Europe, so users can limit use and access to their accounts within the geographical area of a particular server.

Why Isn’t It Enough?

We appreciated the extra security measures that Keeper offers, but many of them stem from the vulnerabilities of the cloud. Large cloud servers are the targets of choice for hackers, who stand to gain information from millions of users. If there were a way to enjoy convenient features like these locally, we’d take it!

KeyReel

When we decided to solve the problems we noted in password managers like these, we knew the solution was likely simple. We wanted an experience that would provide the local security of a hardware-based security device--without having to locate it and plug it in every time we needed to browse the web. We also knew that the security of any login experience needed to be smooth in order to be worth using.

We discussed the concept of “keyless auto entry,” and kept it within sight as we tried several methods of transferring information securely to the web without using a network. Bluetooth was the best option because it could be securely linked to another intelligent device: the smartphone, which could act as the encrypted password vault, second-device authentication factor, and secure link to the computer. No need to pay $50 for a YubiKey, and it works in an instant so that the login is barely registered before it’s completed.

Today, KeyReel isn’t only for storing, auto-filling, and generating strong passwords. It can also store notes in any set of credentials, and securely copy and paste passwords from your iPhone’s password vault into your application. It also offers two-factor authentication you can verify with a PIN or TouchID. But that’s just the beginning.

KeyReel is coming to Android soon and will continue its development into the ultimate login assistant for users everywhere who love the web but hate the hassle of logging in. Going premium soon, but for now, it’s still free! Try it! If you have a password manager and you’re curious, you can import your password data to your KeyReel account automatically.

Monday, November 12, 2018

This is the second in our series examining why we decided to build KeyReel even though there are so many popular password apps out there already. This time, let’s see how KeyReel stacks up to Dashlane and True Key.

Dashlane

Dashlane is a cloud-based password app that allows users to sync account data across multiple devices on all major platforms. It also has a few unique features that set it apart from other popular password managers.

Users can change the passwords for all their accounts at once, which is useful when hacking is suspected. It can also find forgotten online accounts, which is helpful for “cleaning up” accounts so users don’t have sensitive information on sites they no longer use.

It is touted to be easy to use on all platforms, and better at web parsing than most other popular password apps. Credit monitoring, identity-theft services and insurance, and dark-web monitoring are a few of its Premium and Premium Plus-level features.

All these features make Dashlane a hefty app that comes with an online account. In other words, it’s one more thing (actually, several more things, if you get the extra services) to check.

The feature set also makes it nearly twice as expensive as most of its competition. Its free version is limited to 50 accounts per user, which makes the choice clear between Dashlane’s hefty feature set, which you appreciate but probably won’t use, and a cheaper option like LastPass or 1Password.

Why wasn’t it enough?

We wanted everyone to have access to convenient, high-security logins that had all the features we and our users wanted most. That meant it couldn’t be too expensive for most users to consider downloading on the spot.

Although the features Dashlane offers are useful, Dashlane does not solve the problem of giving a third party control over our data storage on the cloud. Large cloud servers are highly conspicuous targets for hackers. As software engineers and cybersecurity experts, we preferred to keep our passwords not only encrypted but out of reach.

True Key

True Key is a free browser extension for Firefox or Chrome. It logs users in using biometrics as well as a master password. True Key logs users in with a fingerprint, retina scan, or--in the case of Windows--facial recognition. It also has a password generator.

It automatically fills in the login data of every account accessed while the user is signed in to True Key. Passwords are stored encrypted, locally on a user’s device. It uses the cloud to allow account info to sync across devices, which True Key can recognize as the user’s.

With a True Key account, users can manage websites and financial information as well as passwords. Its free version has a 15-account limit, but it’s a good starter password manager in terms of simplicity and ease of use.

Why wasn’t it enough?

True Key has no native app for macOS or support for the extension on Safari, which makes it inconvenient for Mac users. But the main issue that caused us to keep shopping is security-related.

Although considered the future of security, biometric authentication is actually less secure than password authentication. Fingerprints, retinas, and faces--these are your passwords in plain sight. No matter how unique, once revealed, they can be copied.

Fingerprints can be transferred and printed, retinas can be hacked, and photographs or advanced 3D-models can be used without the knowledge or consent of the user. On top of that, none of these can be changed once compromised.

KeyReel

We built KeyReel to allow everyone to eliminate the ever-present danger of exchanging sensitive data over the internet. By making the iPhone the authentication key that stores passwords encrypted locally, KeyReel ensures your data cannot be accessed by any network and requires a special local connection to be accessed by your computer.

We believe passwords are the best way to keep accounts safe to date. However, KeyReel allows TouchID as a second authentication factor for certain sensitive sites (such as banking, medical, and other personal accounts).

This is because the first factor is a locally transferred request from one recognized user device to another. In order to unlock the account, the user must be in possession of both devices to verify using TouchID. But if you prefer, you can use a PIN code as your second authentication factor for specific sites instead.

Sensitive data can also be transferred locally using KeyReel’s clipboard-sharing feature. Use it to copy passwords and other data from your phone and transfer them directly into a desktop application’s login screen.

Above all, KeyReel’s focus is on the smoothness of the login experience. We want to make sure our feature set never gets in the way of our goal to make KeyReel the ultimate login experience, not another thing to “check.”

We’re going to be launching its premium version soon, so try KeyReel now! You can even import your passwords from Dashlane or True Key to make it easier to get started. Remember, all your data stays on your device, and syncs only locally. Ready?

Sunday, November 4, 2018

The most popular paid password managers out there have strengths that make them the first choice of millions of users. So why did we build KeyReel? Well, let’s see how KeyReel stacks up compared to LastPass and 1Password.

LastPass

LastPass is one of the most popular password apps because it’s among the least expensive and it’s simple to use. It’s built on a cloud server that stores all your passwords and allows you to access them from any device on any platform.

You only need one password to log in to the vault that will instantly fill in the login details for any account stored in it, so it’s easy to make one that’s long and strong. The paid version allows you to require a second authentication factor.

Why isn’t it enough?

When you need to log in, it may be convenient to only need to remember one password, but it’s also a hassle to use it every time. Users will check the “keep me signed in” box on accounts they use frequently just to avoid having to enter any password at all. This is a dangerous habit that literally leaves accounts open to hackers 24/7, even while the computer isn’t in use by the user. LastPass doesn’t solve it by replacing many passwords with one. This makes it virtually as insecure as storing your password in the browser itself--and the password managers in most popular browsers are not known for the best security.

LastPass stores all user information on its own cloud server. That makes it a favorite target of hackers: a gold mine full of the sensitive account information of so many users. In 2015, LastPass’s server actually succumbed to a raid.

We wanted to log in automatically and keep our data out of the crosshairs of hackers. And we noticed that LastPass was buggy. So it didn’t work well on many sites, and on others it simply didn’t work, requiring us to create entries manually.

And although convenient, a password manager that syncs data across multiple devices on a network makes the loss of just one device a threat to all user data.

1Password

Like LastPass, 1Password also stores your passwords on the cloud so you can access them using one “master password” from its cloud server. 1Password touts the fact that its components are standard and open source.

User data is stored encrypted on the server, and can only be accessed by the master password, which only the user knows.

Each user gets a secret key that strengthens the master password by being generated locally.

You can store passwords and many other types of sensitive data, tag and sort them in the ways that are most convenient for you, and it logs you in automatically.

Why isn’t it enough?

1Password has some of the same drawbacks as LastPass, being a cloud server most likely to be targeted by hackers, as well as requiring a password for every single login. In fact, it was criticized for discontinuing its offline version. But all its myriad features and options also make 1Password a lot more app than we bargained for, with many more features than most users will need.

And just as with LastPass, we wanted a password app that allowed us to keep control of and manage our own data. We noticed that entering that master password over and over again throughout one browsing session got tedious. Tedium is dangerous when it comes to security because it tempts users to create simple, low-security master passwords. And that defeats the purpose of the app.

Besides, a keylogger or spycam has a higher chance of compromising master passwords that need to be entered multiple times a day--and may be entered in the wrong entry field due to user error, exposing all its characters on screen.

1Password’s focus on managing passwords actually makes the organization of passwords another thing to worry about. We wanted something that allows passwords to work like a key does in a lock: keep your key safe until you need to use it, and don’t worry about it until you need it again. To us, the safety and ease of the login experience counts most toward a smoother browsing experience. So we kept searching for a light, mostly invisible app, with only the features users love and use most.

KeyReel

So rather than focusing on the organization of secure passwords and files, KeyReel’s iPhone and macOS apps sync with its browser extension to make the login experience itself minimalist, safe, and local. Passwords are stored in an encrypted vault on your iPhone and accessed by your Mac via a secure, local Bluetooth connection.

You never need to enter your master password (unless you are recovering the database from a backup). Whenever you browse on your computer with your iPhone within Bluetooth range, the requested information automatically appears in the login screen. When you pick up your phone and leave your computer behind, the encrypted Bluetooth link is broken, and your passwords stay with you on your phone.

For more sensitive accounts that store banking, medical, and other personal data, you have the option to add a second authentication factor sent to your phone, which you can verify via PIN or TouchID. Because your passwords are stored locally and sent via local connection, the information never crosses the path of any hacker on any network.

Although the local connection gave us peace of mind about its safety for data storage and transfer, we still wanted the speed and convenience of cloud apps. So we built lightweight iOS and macOS apps, and a practically invisible web extension. As the three components run as one, it’s barely noticeable in operation.

Feedback from beta-testers and early adopters told us the most important features to them are data import/export and password generation capabilities. So we’ve added those as well as the ability to add notes to each account, but we’ve kept our focus on the login experience. Now KeyReel’s advanced web parsing is better at detecting login screens than both LastPass and 1Password.

If you want to try KeyReel, now’s the time! We’re going to be switching to a premium model soon as part of KeyReel’s growth into the ultimate login assistant. We would love to have you with us on the journey. Remember: all your data stays with you, you get access to all its features, and you don’t even need to set up a new account. Happy logins!